Bugtraq mailing list archives

Re: httpd symlinks


From: jlewis () inorganic5 chem ufl edu (Jon Lewis)
Date: Tue, 5 Sep 1995 00:34:43 -0400


On Mon, 4 Sep 1995, Daniel S. Riley wrote:

Try adding this to "access.conf" on Apache 0.8.11 or NCSA 1.4 (not sure
about how CERN handles this).  "SymLinksIfOwnerMatch" is only vaguely
documented.

SymLinksIfOwnerMatch, at least in NCSA httpd 1.4 through 1.5b3, is
also broken.  Here's the bug report I submitted to the ncsa-httpd
team:

I was just fooling around and was shocked to find that
SymLinksIfOwnerMatch is totally broken in the version of Apache I've been
using.  I created a symlink from a public_html dir to / and was able to
see /.  I downloaded/compiled the latest Apache and did some testing of
SymLinksIfOwnerMatch with various versions of httpd I had handy and found
the following:

NCSA 1.3        works, even on double symlinks
Apache 0.6.2    works on symlinks, broken for double symlinks
Apache 0.8.8    broken for symlinks and double symlinks
Apache 0.8.11   works, even on double symlinks

By "works", I mean it gave a Forbidden message when the symlink was
tried...by "broken", I mean symlinks were followed when they should not
have been.

------------------------------------------------------------------
 Jon Lewis                      |  Mime attachments are OK
 jlewis () inorganic5 chem ufl edu |  But please ask before sending
 http://inorganic5.chem.ufl.edu |  unsolicited huge files.
                                |
_____Finger jlewis () inorganic5 chem ufl edu for PGP public key_____
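
The test described in the message above (a symlink to /, then a "double" symlink), as an added example that is not part of the original post and is not NCSA httpd or Apache code. `naive_owner_match` is an assumed illustration of how a one-hop owner comparison can let a link-to-a-link through, not the actual defect in any release; the paths, uids and hop cap are constructed.

```python
import os
import stat
from types import SimpleNamespace

MAX_HOPS = 8  # assumed cap so a symlink loop ends in a refusal

def _resolve(link, target):
    # A relative link target is relative to the directory holding the link.
    return os.path.normpath(os.path.join(os.path.dirname(link), target))

def naive_owner_match(path, lstat=os.lstat, readlink=os.readlink):
    """Compares the link only with its immediate target (one hop, lstat)."""
    st = lstat(path)
    if not stat.S_ISLNK(st.st_mode):
        return True
    return lstat(_resolve(path, readlink(path))).st_uid == st.st_uid

def chain_owner_match(path, lstat=os.lstat, readlink=os.readlink):
    """Requires the owner to match at every hop until a non-link is reached."""
    for _ in range(MAX_HOPS):
        st = lstat(path)
        if not stat.S_ISLNK(st.st_mode):
            return True
        target = _resolve(path, readlink(path))
        if lstat(target).st_uid != st.st_uid:
            return False
        path = target
    return False  # loop or overly long chain: refuse

# Constructed sample tree: path -> (owner uid, link target or None).
SAMPLE = {
    "/": (0, None),
    "/home/u/public_html": (1000, None),
    "/home/u/notes": (1000, None),
    "/home/u/public_html/own": (1000, "../notes"),
    "/home/u/public_html/root": (1000, "/"),
    "/home/u/public_html/hop1": (1000, "hop2"),
    "/home/u/public_html/hop2": (1000, "/"),
}

def sample_lstat(path):
    uid, target = SAMPLE[path]
    mode = stat.S_IFLNK if target is not None else stat.S_IFDIR
    return SimpleNamespace(st_mode=mode | 0o755, st_uid=uid)

def sample_readlink(path):
    return SAMPLE[path][1]
```

Called without the sample callables, both functions use `os.lstat` and `os.readlink`, so the same check can be run against links in a real public_html directory.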
